Threat Management, Network Security

New BazaLoader lures include phony DMCA complaints, DDoS threats

BazaLoader malware operators have been luring website owners to download the malware through fake notifications regarding sites' involvement in distributed denial-of-service attacks and a phony Digital Millennium Copyright Act infringement complaint, reports BleepingComputer.

BleepingComputer has found that the threat actor behind the attack uses Firebase URLs in contact-form messages to deliver BazaLoader and Cobalt Strike, a delivery approach similar to the one Microsoft observed for IcedID malware in April.

Website developer and designer Brian Johnson has noted that two of his clients received fake DDoS attack notifications threatening legal action unless the purported malicious files were promptly removed from their systems. The file attached to the emails was identified by malware analyst Brad Duncan as a ZIP archive containing JavaScript that fetches the BazaLoader DLL. Once running, BazaLoader communicates with its command-and-control server and launches Cobalt Strike to deliver additional payloads and establish persistence.

Organizations can defend themselves from the social engineering scheme by exercising continued vigilance toward malicious intent in emails.
